Digitally Signed Malware Targeting Gaming Companies

The Cylance SPEAR™ team has been working diligently to identify and track relationships between malware using stolen Authenticode code-signing certificates and common command and control (C2) infrastructure. The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates.

Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs).

The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia.

In this post we expand the usage of the term 'PassCV' to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.

PassCV Background

The PassCV group typically utilized publicly available RATs in addition to some custom code, which ultimately provided backdoor functionality to affected systems via phony resumes and curriculum vitae (CVs). PassCV continues to maintain a heavy reliance on obfuscated and signed versions of older RATs like ZxShell and Ghost RAT, which have remained a favorite of the wider Chinese criminal community since their initial public release.

SPEAR identified recent PassCV samples which implemented another commercial off-the-shelf (COTS) RAT called Netwire. This tool offers the attacker full control of the victim/host and is perhaps best known for its cross-platform compatibility, which includes support for Windows, Linux, OSX, and Solaris.

Overall, the antivirus (AV) industry has barely kept pace with the PassCV group, and although some samples and families are well detected, the majority of the signed samples continue to have extremely low detection rates.

SPEAR was able to identify several other distinct malware families that we believe to be related to the PassCV group based upon common stolen Authenticode certificates. The Kitkiot and Sabresac (also known as Saber or Excalibur based upon strings in the binaries) malware families were deployed by the group for distinct purposes.

Saber is a custom RAT that periodically queries a web-based C2 server for commands. The only active instances SPEAR was able to identify were hosted on the Chinese code development site 'csdn(dot)net'. Kitkiot variants are commonly installed alongside other types of malware and often included additional functionality, including:

Denial of Service (DoS) and Distributed Denial of Service (DDoS) capabilities

The ability to hijack and steal in-game account information and items from multiple online gaming platforms

In some rare cases these were used for click-through advertising fraud.

The Saber Family

The Saber malware utilizes a custom base64 alphabet for decoding messages from its C2 servers. The malware decodes an obfuscated string found on the site it has been programmed to contact, then communicates with the actual C2 for further instructions to execute. SPEAR only observed samples that employed clear-text communication between the victim and the actual C2. The malware accepts any Windows shell command the attackers pass back via the C2.

To start the C2 process, Saber samples commonly used blogs on the Chinese-based information technology and development website ‘blog.csdn[dot]net’. The malware executes an HTTP GET request to one or more blog page(s). The malware then looks for the string format 'saberstart.<encoded_string>.saberend' in the response data once the link is retrieved. The data stored between the strings 'saberstart.' and '.saberend' is encoded with a custom Base64 alphabet which contains a follow-on C2 address and a port separated with an uppercase 'W'.

SPEAR developed the following Python snippet to aid in decoding the Saber C2 messages:

Figure 1: Python Script to Decode Saber C2 Messages

The exact URLs varied among samples, but SPEAR was able to identify the following C2 URLs:

The 'Accessed' figures are the number of page visits at the time of writing.

URL: http://blog.csdn[dot]net/u013761036/article/details/45542243
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahES+mEMaMSLcgSTjNIPch0PIz.saberend
Accessed: 814,896 times
Decodes to: gotofindsocketsvcW118.123.19.9W25965#

URL: http://blog.csdn[dot]net//saber00001//article//details//50444103
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahIN+mIOcgSR+mIMbo4MbhnSala.saberend
Accessed: 2,167,985 times
Decodes to: gotofindsocketsvcW123.249.7.226W25982#

URL: http://blog.csdn[dot]net//saber00002//article//details//50444149
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahIN+mIOcgSR+mIMbo4MbhnSala.saberend
Accessed: 1,257,722 times
Decodes to: gotofindsocketsvcW123.249.7.226W25982#

URL: http://blog.csdn[dot]net//saber00003//article//details//50444185
Contained: saberstart.IQ5y5GXp2kTn4QXm2QjO4R1mjNEMaMSMbDnxcDExamAMjNIPch8PIz.saberend
Accessed: 474,514 times
Decodes to: #gotofindsocketsvcW123.249.81.202W25985#

URL: http://blog.csdn[dot]net//saber00004//article//details//50444188
Contained: saberstart.IQ5y5GXp2kTn4QXm2QjO4R1mjNEMaMSMbDnxcDExamAMjNIPch8PIz.saberend
Accessed: 486,925 times
Decodes to: #gotofindsocketsvcW123.249.81.202W25985#

URL: http://blog.csdn[dot]net//asdasdasdasddadasd//article//details//50443203
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahES+mEMaMSLcgSTjNIPch0PIz.saberend
Accessed: 3,333,320 times
Decodes to: gotofindsocketsvcW118.123.19.9W25965#

URL: http://blog.csdn[dot]net//dasdmkdwovcs//article//details//50925619
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahIN+mIOcgSR+mIMbo4MbhnSala.saberend
Accessed: 7,475,132 times
Decodes to: gotofindsocketsvcW123.249.7.226W25982#

URL: http://blog.csdn[dot]net//u013761036/article/details/45542243
Contained: saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahES+mEMaMSLcgSTjNIPch0PIz.saberend
Accessed: 983,239 times
Decodes to: gotofindsocketsvcW118.123.19.9W25965#
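SPEAR's Figure 1 script is not reproduced on this page, so the following is an added example written for this write-up rather than SPEAR's own code. It covers the C2 retrieval process described above (marker search, custom-alphabet decoding, splitting host and port on the uppercase 'W') and uses the encoded/decoded pairs listed above as known plaintext: because the custom scheme keeps the shape of base64 (four characters per three bytes, padding dropped) and only swaps the alphabet, encoding each listed plaintext with the standard alphabet and aligning it with the listed blob recovers one substitution per character. The HTML wrapper in `SAMPLE_PAGE` is constructed; the blob inside it is one of the real ones listed above. The full 64-character alphabet is not on the page, so positions never observed stay unknown and the decoder refuses rather than guesses.

```python
import base64
import re

# Added example, not the Figure 1 script from the write-up: recover the Saber
# substitution alphabet from the encoded/decoded pairs the write-up lists, then
# use it to decode and parse tasking pulled from a blog page.

# Encoded blobs and the values the write-up says they decode to.
KNOWN_PAIRS = [
    ("1QXO3Q1s3pfN3Qbu1/fN5pb/ahES+mEMaMSLcgSTjNIPch0PIz",
     "gotofindsocketsvcW118.123.19.9W25965#"),
    ("1QXO3Q1s3pfN3Qbu1/fN5pb/ahIN+mIOcgSR+mIMbo4MbhnSala",
     "gotofindsocketsvcW123.249.7.226W25982#"),
    ("IQ5y5GXp2kTn4QXm2QjO4R1mjNEMaMSMbDnxcDExamAMjNIPch8PIz",
     "#gotofindsocketsvcW123.249.81.202W25985#"),
]

# 'saberstart.<encoded_string>.saberend', as described in the write-up.
MARKER_RE = re.compile(r"saberstart\.([A-Za-z0-9+/]+)\.saberend")

# Constructed HTML wrapper (not a real csdn page) carrying one of the real blobs.
SAMPLE_PAGE = (
    "<html><body><p>some unrelated post text</p>\n"
    "<p>saberstart.1QXO3Q1s3pfN3Qbu1/fN5pb/ahES+mEMaMSLcgSTjNIPch0PIz.saberend</p>\n"
    "</body></html>"
)


def recover_alphabet(pairs):
    """Known-plaintext recovery of the custom alphabet.

    Encode the known plaintext with the standard alphabet, strip the padding the
    malware does not use, and align it position by position with the custom blob.
    Returns {custom_char: standard_char}; raises if two pairs contradict each other,
    which would mean the encoding is not a plain alphabet substitution."""
    table = {}
    for custom, plain in pairs:
        standard = base64.b64encode(plain.encode()).decode().rstrip("=")
        if len(standard) != len(custom):
            raise ValueError("length mismatch: not a base64-shaped encoding")
        for c, s in zip(custom, standard):
            if table.setdefault(c, s) != s:
                raise ValueError(f"conflicting mapping for {c!r}")
    return table


def decode_blob(blob, table):
    """Translate a custom-alphabet blob to standard base64 and decode it.
    Raises KeyError for characters whose substitution has not been recovered."""
    unknown = sorted(set(blob) - set(table))
    if unknown:
        raise KeyError(f"alphabet positions not recovered: {unknown}")
    standard = "".join(table[c] for c in blob)
    standard += "=" * (-len(standard) % 4)  # restore the padding the malware drops
    return base64.b64decode(standard).decode()


def parse_tasking(decoded):
    """Split '<command>W<host>W<port>' (optionally wrapped in '#') into fields."""
    command, host, port = decoded.strip("#").split("W")
    return {"command": command, "host": host, "port": int(port)}


def extract_tasking(page_text, table):
    """Full pipeline over one fetched blog page: marker search, decode, parse."""
    return [parse_tasking(decode_blob(b, table)) for b in MARKER_RE.findall(page_text)]


TABLE = recover_alphabet(KNOWN_PAIRS)

if __name__ == "__main__":
    print(f"recovered {len(TABLE)} of 64 alphabet positions")
    for tasking in extract_tasking(SAMPLE_PAGE, TABLE):
        print(tasking)
```

The three listed pairs fix 42 of the 64 alphabet positions, which is every character that appears in the blobs above; a new blob containing an unseen character raises a KeyError naming it, so the analyst knows exactly which positions still need a known-plaintext observation rather than getting silently wrong output.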

SPEAR was able to successfully emulate the remote C2 server, and during testing we were able to send and remotely execute any command on the (hypothetical) victim system.

Saber Relationships

While researching the Saber family we found a similar .PDB file path in several samples:

The malware author originally employed the username ‘Excalibur_C’ (similar to the .PDB file paths) when creating the C2 page:

‘http://blog.csdn[dot]net/u013761036/article/details/45542243’

This was the earliest post that SPEAR was able to identify that contained the encoded Saber commands, with a post date of 2015-05-06 22:20. The same author made numerous other programming-related posts in addition to this page:

Figure 2: Excalibur Blog Posts

Since the time we first started working on this write-up, the Saber author has presumably gained some additional attention and it seems the username and icon on the blog were changed as a result:

Figure 3: Excalibur's New Username

SPEAR also identified a newer variant during our investigation and subsequent write-up. The compile timestamp indicated that the sample was compiled on August 3, 2016. The newer variant leveraged two different domains:

The variant also downloaded additional 7-Zip self-extracting archives that ultimately installed the Saber malware onto the infected system. Several other signed variants have also been distributed from the domain:

‘dhd29up7zcdyt(dot)cloudfront.net’

‘Cloudfront.net’ belongs to Amazon’s content delivery network, Amazon CloudFront. This recent move could indicate the attackers are looking for a more robust means of distribution to continue spreading their malware.

The Kitkiot family

Kitkiot malware has been publicly linked to the ‘dns-syn[dot]com’ domain which has direct ties to the group courtesy of Blue Coat Systems’ research. Kitkiot provides backdoor functionality and is commonly installed alongside other types of malware. It has previously been documented and used to perform DDoS attacks, function as a proxy server and perform click-through advertising fraud. We found numerous instances in which Kitkiot variants were written specifically to target online gaming platforms and modify values stored in databases and other online network communications.

Existing public information about this malware family is available via these links:

Stolen Certificates and Relationships to PassCV

SPEAR identified roughly eighteen previously undisclosed stolen Authenticode certificates. Interestingly, not all of the certificates were stolen from game companies. It appeared the group had also started to branch out into signed adware. This may seem odd at first, but most security researchers are somewhat numb to the consistent barrage of so-called legitimately signed adware, so a more advanced backdoor signed with the same certificate could easily be overlooked.

The first new connection SPEAR identified was derived from an email address listed in Blue Coat Systems' original report on PassCV. The email address ‘13581641274(at)163.com’, which was used to register the domain ‘aresgame[dot]info’, was reused in 2015 to register the domains ‘fengzigame[dot]net’ and ‘roboscan[dot]net’. Both domains were designed to look like their legitimate counterparts, ‘fengzigame.com’ and ‘roboscan.com’.

SPEAR found several NetWire variants that communicated to subdomains off of the aforementioned domains, and identified another larger cluster of activity that was specifically targeted at game developers using similar variants. All of the variants communicated to domains that were extremely similar to other popular gaming framework websites, and contained code to harvest stored password information as well as log keystroke data.

The C2 domain ‘cocoss2d[dot]com’ mimicked the original website for the Cocos2d gaming framework, ‘http://cocos2d.org/’, used in popular mobile games such as Badland. The C2 domain ‘unitys3d[dot]com’ was designed to impersonate the website of the Unity engine, ‘https://unity3d.com/’, a gaming engine licensed across multiple gaming platforms and more recently in popular mobile games like Pokémon Go.
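The lookalike domains above (an inserted letter, or the legitimate name on a different TLD) are the kind a watchlist check catches cheaply. The following is an added example, not a Cylance tool: the `LEGITIMATE` list is constructed from the genuine sites named in this post, and the rule flags a domain whose registrable label is within one edit of a watched label, or identical to it on another TLD. `split_domain` assumes a plain `label.tld` layout rather than consulting the public-suffix list.

```python
# Added example (not part of the Cylance write-up): flag C2 domains that imitate
# legitimate gaming-framework and company sites.

# Constructed watchlist built from the legitimate sites the write-up names.
LEGITIMATE = ["cocos2d.org", "unity3d.com", "fengzigame.com", "roboscan.com"]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(fqdn):
    """Return (registrable_label, tld), dropping any subdomains.
    Assumption: a simple 'label.tld' layout, not the public-suffix list."""
    parts = fqdn.lower().strip(".").split(".")
    return parts[-2], parts[-1]


def lookalike_matches(fqdn, legit=LEGITIMATE, max_distance=1):
    """List (legitimate_domain, reason) pairs for every watched name that fqdn
    imitates. An exact match with the legitimate domain is not reported."""
    label, tld = split_domain(fqdn)
    hits = []
    for good in legit:
        good_label, good_tld = split_domain(good)
        d = levenshtein(label, good_label)
        if d == 0 and tld != good_tld:
            hits.append((good, "tld-swap"))
        elif 0 < d <= max_distance:
            hits.append((good, f"edit-distance-{d}"))
    return hits


def scan(domains, legit=LEGITIMATE):
    """Run the check over a list of observed C2 names; returns only the hits."""
    return {d: lookalike_matches(d, legit) for d in domains if lookalike_matches(d, legit)}


if __name__ == "__main__":
    # Observed C2 names from the write-up (de-fanging removed) plus one benign name.
    observed = ["cocoss2d.com", "api.unitys3d.com", "fengzigame.net",
                "roboscan.net", "cocos2d.org", "example.com"]
    for name, hits in scan(observed).items():
        print(name, "->", hits)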

Many of the identified samples also contained a common unique mutex, ‘{332222A-33A3-2222-AAAA-3A22AA333}’, which allowed SPEAR to identify a number of additional compromised certificates.

One of the samples identified through this method was:

95a33b0c5f2408adabbebeba6f4c618ba2b392f9dbcd1d9a9ff9db5a519380d8

This led to the discovery of another sample:

ad2a42e4024a320ce763524e17ef7262add649651e2a277b5fc56a9bdc44e449

It was signed with a certificate belonging to AmazGame, a Beijing-based gaming company. The sample also contacted the domain ‘waw.css2[dot]com’, intended to mimic another domain related to the Cascading Style Sheets 2.0 specification:

Issued to: Syncopate LLC

Current Status: Valid

Syncopate is a well-known Russian company that is best known as the developer and operator of the ‘GameNet’ platform. GameNet was first identified as being a likely victim of the Winnti group here, although no associated code-signing certificates were identified at that time. Similarly, in that same blog post ‘Zemi Interactive’ was also identified as being a likely victim from the same attacks. The evidence presented above strengthens the claim that the Winnti and PassCV groups are closely related.

During the course of this investigation, SPEAR also identified that NHN’s (Naver Corporation) code-signing certificates were compromised, but it appeared to be related to a substantially different attack set that SPEAR hopes to shed some light on in the near future.

Blue Coat Systems originally identified additional connections based upon domain registrant information with the email addresses ‘huise123(at)yahoo.com’ and ‘rebot(at)126.com’. It is possible that the original stolen code-signing certificates were shared among multiple groups and only more recently deployed by the attackers. However, SPEAR has not found any significant evidence to support this hypothesis.

SPEAR identified another sample:

dff0fee3bef9fa2c9c08a6d2c5772e51c1d29522de19301fb389b310e481713f

It was signed using the Beijing AmazGame certificate. The sample beaconed back to the domain ‘task.dns-syn[dot]com’. ‘bot[dot]dns-syn[dot]com’ was previously documented in Blue Coat Systems’ write-up as being registered using the email address ‘rebot(at)126.com’. This email address was subsequently linked to the domain ‘timewalk[dot]me’, which was documented in other RATs associated with the Winnti group.

This particular subdomain served a unique purpose, which was to provide additional tasking and to instruct the malware to target a specific online gaming platform. In the case of this particular sample, the targeted gaming platform was 'http://20012.com/'. After analysis of several other similar signed samples, SPEAR found they were all targeted at various individual online and mobile gaming platforms.

SPEAR was able to identify additional samples that utilized these stolen Authenticode certificates, which created an interesting pivot point and led to the discovery of several additional compromised certificates.

Conclusion

The PassCV group continues to be extremely effective in compromising both small and large game companies and surreptitiously using their code-signing certificates to infect an even larger swath of organizations. Since the last report, the group has significantly expanded its targets to include victims in the United States, Taiwan, China and Russia.

SPEAR researchers were surprised to find that a good portion of the old infrastructure exposed by Blue Coat Systems remains active to this day. However, it was also apparent that the attackers paid attention to the news, as they let several of the exposed domains lapse and registered extremely similar domains shortly thereafter. The overall operational security of the group has also improved and more recent domains were registered using private WHOIS services and other previously undisclosed email addresses.

Interestingly, most of the malicious binaries were countersigned (timestamped), which allows a signature to keep validating long after the signing certificate has expired, because only the certificate's validity at the time of the countersignature is checked. SPEAR has time and time again observed that this particular “feature” of Microsoft Authenticode certificates is easily and readily abused by malicious actors. Some recent academic papers have also pointed out that a binary’s Authenticode signature will continue to be valid if the malicious binary was timestamped (countersigned) and validly signed, and the certificate is subsequently revoked. SPEAR has not identified any samples related to the PassCV group that would support the paper authors’ conclusion, but samples of this nature would indicate that Authenticode signing is indeed rather broken.
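To make the countersignature behaviour concrete for triage, here is an added example (not SPEAR's code and not a reimplementation of Windows' WinVerifyTrust policy): a simplified model of the rule the paragraph describes, applied to fields an analyst would pull out of a signature parser. With a countersignature the signing certificate only has to have been valid, and not yet revoked, at the countersignature time; without one it has to be valid at verification time. The sample set, certificate names and dates are constructed.

```python
from datetime import datetime, timezone

# Added example: a simplified model of how a timestamped (countersigned)
# Authenticode signature is judged, used to bucket signed samples for review.
# It is not a reimplementation of the Windows trust policy.

UTC = timezone.utc


def classify_signature(cert_not_before, cert_not_after, countersign_time=None,
                       revoked_at=None, now=None):
    """Return a triage label for one signed binary.

    Rule modelled: the certificate is judged at the countersignature time when a
    countersignature exists, otherwise at verification time ('now')."""
    now = now or datetime.now(UTC)
    reference = countersign_time or now
    if not (cert_not_before <= reference <= cert_not_after):
        return "invalid: certificate not valid at reference time"
    if revoked_at is not None and revoked_at <= reference:
        return "invalid: certificate revoked before reference time"
    if countersign_time is None:
        return "valid now; will stop validating when the certificate expires"
    if now > cert_not_after:
        return "valid via countersignature despite expired certificate"
    if revoked_at is not None:
        return "valid via countersignature despite later revocation"
    return "valid"


def triage(samples, now):
    """samples: dicts with name, not_before, not_after and optional
    countersign_time / revoked_at. Returns {label: [names]} so the
    countersigned-but-expired or -revoked cases are easy to pull out."""
    buckets = {}
    for s in samples:
        label = classify_signature(s["not_before"], s["not_after"],
                                   s.get("countersign_time"), s.get("revoked_at"), now)
        buckets.setdefault(label, []).append(s["name"])
    return buckets


# Constructed sample set: names and dates are made up for illustration.
NOW = datetime(2016, 10, 1, tzinfo=UTC)
SAMPLES = [
    {"name": "countersigned_expired.exe",
     "not_before": datetime(2013, 1, 1, tzinfo=UTC),
     "not_after": datetime(2015, 1, 1, tzinfo=UTC),
     "countersign_time": datetime(2014, 6, 1, tzinfo=UTC)},
    {"name": "no_timestamp_expired.exe",
     "not_before": datetime(2013, 1, 1, tzinfo=UTC),
     "not_after": datetime(2015, 1, 1, tzinfo=UTC)},
    {"name": "countersigned_then_revoked.exe",
     "not_before": datetime(2015, 1, 1, tzinfo=UTC),
     "not_after": datetime(2018, 1, 1, tzinfo=UTC),
     "countersign_time": datetime(2016, 2, 1, tzinfo=UTC),
     "revoked_at": datetime(2016, 5, 1, tzinfo=UTC)},
    {"name": "revoked_before_signing.exe",
     "not_before": datetime(2015, 1, 1, tzinfo=UTC),
     "not_after": datetime(2018, 1, 1, tzinfo=UTC),
     "countersign_time": datetime(2016, 6, 1, tzinfo=UTC),
     "revoked_at": datetime(2016, 5, 1, tzinfo=UTC)},
]

if __name__ == "__main__":
    for label, names in triage(SAMPLES, NOW).items():
        print(f"{label}: {', '.join(names)}")
```

The two "valid via countersignature" buckets are the ones the paragraph is about: the binary still passes signature checks even though the certificate is expired or has since been revoked, so a detection pipeline that stops at "signature valid" never looks at them.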

While the motivations of the attackers aren’t entirely clear, SPEAR believes that the attackers are most likely profiting financially in some way. This could include subverting the in-game economies of the companies they compromise, reselling the stolen code-signing certificates, offering malware signing services or by creating their own private VPN infrastructure from machines within the compromised organizations.

SPEAR identified one binary in particular that fueled this speculation:

8748c19ec86011a77e313e0ea9dd9d0315eed274288585f3663f57e5b8960bdf

The binary was signed with the stolen code-signing certificate from Beijing ‘AmazGame’ and was named ‘Proxy.exe’. The file communicated with a website ‘www.proxy456(dot)com’, registered using the email address ‘plus3k(at)gmail.com’. This email address was previously used to register the following C2 domains used by the PassCV group from 2012 to 2014:

Proxy456 claims based on a rough translation to be “China’s first integrated cloud proxy software” and at first glance appears to be a semi-legitimate VPN provider. SPEAR also found anecdotal evidence to suggest that the in-game economies of several popular online Chinese gaming communities were being specifically targeted via unique Kitkiot variants.

Even though the motivations of the attackers aren’t entirely obvious, the PassCV group continues to be extremely effective at compromising small gaming companies and SPEAR believes it to be only a matter of time before they set their sights on larger organizations.

The Cylance Threat Research Team

The Cylance Threat Research team examines malware and suspected malware to better identify its abilities, function and attack vectors. Threat Research is on the frontline of information security and often deeply examines malicious software, which puts us in a unique position to discuss never-seen-before threats.